When you used the Configure Your Server Wizard to promote the first domain controller in a forest, prior to
applying Service Pack 2 (SP2), the password for Directory Service Restore mode
and the Recovery Console was set to a null value. This leaves the first domain controller in a forest open to
a local attack, if it is NOT physically secured.

After applying SP2, or later, to the vulnerable domain controller,
run: